On Thu, 18 Apr 2013, Kent_Landfield@McAfee.com wrote:
: Thank you for the comment as I think it is spot on. I too think a more
: expanded Option A is an reasonable alternative. I have stated before
: McAfee felt that 6 digits was just too short for the future proofing and
: if extended to 7 or more we may have changed our vote. I see problems
: with option B but future proofing was really the driving factor for our
: decision. I'd like to second Harold's request to reconsider Option A
: length.
Could McAfee, or anyone who voted for 'B' due to the 'future proofing'
concern please address the repeated comments about how that is absurd?
In case you missed it in Steve Christey's CVE vote email:
It should be noted that the team feels that any circumstance(s) that
would require the issuance of (on average) over 2,700 CVE IDs per day
(999,999 IDs per year) would reflect a fundamental change in the
meaning and usage of CVE IDs. Put another way, the "CVE" that requires
the issuance of over 2,700 IDs would not be the CVE of today.
As Carsten Eiram from RBS noted:
1) A purely theoretical explosion in vulnerability reports and coverage
(keeping in mind that MITRE currently has trouble keeping up with the
existing trend and don't guarantee all vulnerabilities will be assigned
CVEs). A change from 8K-10K vulnerabilities reported per year to > 1
million is simply unrealistic. Even if someone starts auditing a ton of
projects with automated code scanning tools and without any manual
follow-up analysis just dumps the results on some mailing list, we
would be hard-pressed to exhaust 6 digits. We would be discussing
resource problems long before hitting those numbers, as neither CVE nor
any CVE processors will be able to keep up with such a load.
So I politely request that anyone voting against 'A' and cited this
concern please discuss it first. I can't understand how this is a real
concern, especially in conjunction with several companies that basically
said "option B is much easier on our current system, we will have to
change less" which seems exceedingly selfish, and not in the interest of
the community so much as the interest of your specific company.
Thank you,
Brian